[SOLVED] Selinux blocks sshd from reading authorized_keys fi
Posted: 2013/03/11 18:19:32
I am setting up a new web server using 64 bit CentOS6. One of the requirements is that certain users must be able to push updates to /var/www/etc/.. on this server. I manage this on the CentOS5 boxes using the authorized_keys file but the same trick doesn't work on the CentOS6 box.
The generic user is called wwwadmin and is a member of group apache.
wwwadmin:x:230:48::/var/www:/bin/bash
All the permissions look correct
# ls -ldZ /var/www/.ssh
drwx------. wwwadmin apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/.ssh
# ls -ldZ /var/www/.ssh/authorized_keys
-rw-r-----. wwwadmin apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/.ssh/authorized_keys
(I also tried setting the perms on authorized_keys to 0600 with no luck.)
/var/log/messages reports:
Mar 11 10:19:16 drum setroubleshoot: SELinux is preventing /usr/sbin/sshd from open access on the file authorized_keys. For complete SELinux messages. run sealert -l ecaf5381-38d4-40da-b08f-525a1f14aa77
I check it with sealert
# sealert -l ecaf5381-38d4-40da-b08f-525a1f14aa77
SELinux is preventing /usr/sbin/sshd from open access on the file authorized_keys.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that sshd should be allowed open access on the authorized_keys file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
When I ask audit2allow to make a suggestion, it looks like the read access is already granted!
# grep sshd /var/log/audit/audit.log | audit2allow
#============= sshd_t ==============
allow sshd_t httpd_sys_content_t:file open;
#!!!! This avc is allowed in the current policy
allow sshd_t httpd_sys_content_t:file read;
I tried restorecon -r /var/www/.ssh but no luck there either.
Suggestions?
--
Stephen
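An added diagnostic, not code from the original post: a POSIX shell check that parses the `ls -ldZ` line shown above and, when the file's SELinux type is not ssh_home_t, prints the persistent semanage fcontext / restorecon commands for that non-standard home directory. It assumes the CentOS 6 targeted policy, where sshd_t reads an authorized_keys file only when it carries the ssh_home_t type.

```shell
#!/bin/sh
# Added example (not from the original post): parse an `ls -lZ`-style line for
# an authorized_keys file, report whether its SELinux type is the one the
# targeted policy lets sshd_t read (ssh_home_t), and if not, print the
# persistent relabel commands for that non-standard home directory.
# Assumption: CentOS 6 targeted policy, where ~/.ssh is expected to be ssh_home_t.

# Constructed sample, copied from the post's `ls -ldZ` output.
SAMPLE_LS_Z='-rw-r-----. wwwadmin apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/.ssh/authorized_keys'

# Print the SELinux type (third field of user:role:type:level) from an
# `ls -lZ` line laid out as: perms owner group context path.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($4, ctx, ":"); print ctx[3] }'
}

# Print the path (last field) from an `ls -lZ` line.
path_of() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Return 0 when the file already carries ssh_home_t; otherwise print the
# mismatch plus the semanage/restorecon commands that fix it persistently
# (a plain chcon would be undone by the next restorecon) and return 1.
check_authorized_keys_label() {
    line=$1
    ftype=$(selinux_type_of "$line")
    path=$(path_of "$line")
    sshdir=$(dirname "$path")
    if [ "$ftype" = "ssh_home_t" ]; then
        echo "ok: $path is labelled ssh_home_t"
        return 0
    fi
    # Escape dots so the directory name is a literal in semanage's regex.
    pattern=$(printf '%s' "$sshdir" | sed 's/\./\\./g')
    echo "mismatch: $path is labelled $ftype, but sshd_t expects ssh_home_t"
    echo "semanage fcontext -a -t ssh_home_t '${pattern}(/.*)?'"
    echo "restorecon -Rv '$sshdir'"
    return 1
}

# Demo on the constructed sample; a non-zero status means a relabel is needed.
if check_authorized_keys_label "$SAMPLE_LS_Z"; then
    :
else
    echo "relabel needed (exit status 1)"
fi
```

Run the printed semanage and restorecon commands as root on the affected box; the fcontext rule survives future relabels, unlike a one-off chcon.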